Threat Modeling From The Trenches To The Clouds
Transcript of slides presented by Brook S.E. Schoenfield
#RSAC
Session ID: AIR-W02
Brook S.E. Schoenfield
Threat Modeling From The Trenches To The Clouds
Passionate security architect
Curious questioner
Principal Engineer, Intel Security
Based Upon What?
Trained 100's of security architects over 15+ years
51 Intel Security TM training sessions
TM every type of architecture: below OS to global clouds
300+ people trained throughout Intel + 3 teachers
Working Definition
Threat modeling is a technique to identify the attacks a system (1) must resist and the defenses that will bring the system to a desired defensive state
1. "system" is defined inclusively
Our Collective Challenge == Secure Design
Little progress in 20+ years!
Early standard = NIST 800-14, 1996!
Is it simply that "developers don't care"? Or, "developers are dumb"? Or, "developers have no training"?
Consider Recent Design Misses
That Jeep Wrangler
Open WiFi Pacemaker
The Target breach was a system design failure
Old Guard
Central team: consultants/employees
Parachute into project
Find as many "flaws (1)" as possible
Generate requirements, unprioritized
On to next TM
Pre-release governance
1. Gary McGraw's term
Are These Your Challenges?
Only staff critical apps
Fight between “creativity” & “security”
Security requirements don't/can't be built
Business always trumps security
Threat model treated as irrelevant or bureaucratic
Security is synonymous with "No"
Be Different!
Decentralize
Fully empower
Skill can be built, difficult to buy
1-2 highly skilled hires who both execute and teach
Play a long game, sometimes a very long game
Teach, coach, mentor, let go
Wash
Rinse
Repeat
Grassroots
TM is part of the "woodwork", the "expected" flow
Go viral: build generations of teachers
Leverage each level of skill
Involve Everyone
Team sport
Everyone! Really!
It takes a village to build a complete threat model
Prioritization is hard. All the stakeholders must be involved
It's fun! (yeah, it really is)
• Product managers
• Quality people
• Devops
• SDETs
• Developers
• Designers
• Architects
• Security experts
• Facilitator
• Project management
A threat model is a crossroads of knowledge from architecture experts, domain experts, and security experts
Absence of one or more stakeholders cripples the model and its usefulness
Iteration Is Your Friend
Let the threat model breathe
Security implementation can improve through iteration
Changes of structure trigger review of model
Changes to security trigger re-evaluation, especially of the design
Prioritizing
Risk is the way! Calculating risk is difficult
Adopt an easy risk analysis methodology: Just Good Enough Risk Rating (JGERR) (1) or similar
Work towards the intended posture:
Particular system
Relevant threat agents
Impactful assets
User expectations
System owners
Organization's risk tolerance
1. co-author, Vinay Bansal, 2008, based upon Factor Analysis of Information Risk, Jack Jones, Open Group Standard
Get Out And See The Architectural World
Analyze unfamiliar architectures and unfamiliar structural types
Build skill; attend analysis with others
Across organizational boundaries
Across projects
"Keystone" activity
Participation results:
Why security is crucial
What to worry about and what not
Sense of the risk posture for their system
Priorities
How each role contributes
SDL tasks, Security Definition of Done
Peer Review Governance
Central boards are a bottleneck
The best don’t have to “approve” every model
Learn By Doing
Experience -> Reflection -> Integration (1)
Let participants find personal learning
Active participation
Solve problems
Keep didactic to a minimum
Problems highlight concepts
Exercises increase in difficulty and scope
Every analysis holds validity (even if off-base)
1. Empowered learning model, Eric Bear, Mary Klein, et al., based on Pedagogy of the Oppressed, Paulo Freire, 1968
The Downside
Trees for the forest analyses
Accepting component threat models w/o analysis
Lose the centre
Poor visibility of errors
Take Aways
Build, because we couldn't buy/hire
Grassroots + management + executives
Train & mentor as though our lives depend upon it
Don't sweat the small stuff!
Exceptions are my friends
Involve everyone
Iterate to stay in sync and for improvement
Peer review => governance
Threat modeling is The Keystone activity
Continual care and feeding
Shameless Self-promotion
https://www.facebook.com/securingsystems
A Threat Modeling Library
https://www.facebook.com/securingsystems
Developer-centric Security
Enable creativity and innovation
Secure innovation
Let’s start a movement!
Some Resources
https://www.owasp.org/index.php/Application_Threat_Modeling
https://www.owasp.org/index.php/Threat_Risk_Modeling
https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf
http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=427321
http://www.intel.com/Assets/en_US/PDF/whitepaper/wp_IT_Security_RiskAssessment.pdf
https://www.facebook.com/securingsystems
http://www.amazon.com/Securing-Systems-Applied-Security-Architecture/dp/1482233975
https://www.facebook.com/softwaresec
www.amazon.com/Core-Software-Security-Source
Where To Find Me
http://www.brookschoenfield.com
@BrkSchoenfield
Brook's Social Networking
https://www.linkedin.com/in/brookschoenfield (1)
http://www.amazon.com/Brook-S.-E.-Schoenfield/e/B00XQFZLSW
1. I apologize in advance. I only Linkedin with people with whom I’ve had meaningful interaction. Thanks.